It appears that, of late, the US FDA has been tightening the implementation of CFR part 11 regulations regarding maintenance of records in electronic form.
The tremors are now being felt in India, since these regulations also affect Indian pharma companies whose drugs are in the US market. Non-compliance may lead to FDA warning notices to the pharma companies.
These regulations affect not only the pharma companies seeking FDA clearances for their drugs or equipment, but also the IT companies who provide services to such companies.
Hence “CFR Part 11 compliance” has now become a point of focus even for the Indian IT industry, which manufactures software and provides other cloud-based services to the entities in the USA that are exposed to FDA regulations.
It appears that there has been significant resistance from the US Pharma industry to the regulations to the extent that the regulator himself is apologetic about implementing the regulations in a “narrow” manner, very much unlike the aggressive stance taken by HIPAA regulators.
One of the objections is of course because the industry thinks that compliance will cost a bomb. However, this is only a bogey raised by the industry to escape the regulation.
I wish the Indian stakeholders do not get perturbed by the US tirade that this compliance is expensive and therefore prefer to defer it. I have been working on HIPAA regulatory compliance for Indian Business Associates for more than a decade and assure that this CFR part 11 compliance is neither expensive nor technically problematic.
With my earlier experience on HIPAA compliance and ITA 2008 compliance, I am already in the process of setting up a suitable framework for both Indian Pharma industries and Indian software industries which should make the implementation uncomplicated.
In my considered opinion, if a company implements a good ITA 2008 compliance program, it is not difficult to also be in compliance with CFR part 11.
However, most companies at present are not compliant with ITA 2008 and some have only a namesake compliance with ITA 2008. Since the Indian regulatory authorities are not strong on implementation, companies are able to declare themselves to be ITA 2008 compliant though they are really far from being compliant.
Hence even those companies who declare themselves to be ITA 2008 compliant or ISO 27001 compliant or PCI DSS compliant may not pass muster for CFR Part 11 compliance.
Directors of such companies therefore need to personally look into the requirements of CFR part 11 compliance without going by the assertion of their subordinates that they are compliant either to ITA 2008 or CFR part 11.
If, therefore, there is any organization in India which is exposed to CFR Part 11 regulations, such as
- Pharma companies
- Software development companies with a product offering for pharma companies
- Mobile app development companies with a product offering for pharma companies
- Cloud service operators who provide hosting and data management services to pharma companies, etc.,
I suggest that they immediately review their compliance program and take steps for compliance as may be required.
I would be happy to provide any further clarification to any company which wants further information on this new domain of compliance.